603 points scalewithlee | 8 comments
matt_heimer No.43794013
The people configuring WAF rules at CDNs tend to do a poor job understanding sites and services that discuss technical content. It's not just Cloudflare, Akamai has the same problem.

If your site discusses databases then turning on the default SQL injection attack prevention rules will break your site. And there is another ruleset for file inclusion where things like /etc/hosts and /etc/passwd get blocked.

I disagree with other posts here, it is partially a balance between security and usability. You never know what service was implemented with possible security exploits and being able to throw every WAF rule on top of your service does keep it more secure. It's just that those same rulesets are super annoying when you have a securely implemented service which needs to discuss technical concepts.

Fine tuning the rules is time consuming. You often have to just completely turn off the ruleset because when you try to keep the ruleset on and allow the use-case there are a ton of changes you need to get implemented (if it's even possible). Page won't load because /etc/hosts was in a query param? Okay, now that you've fixed that, all the XHR included resources won't load because /etc/hosts is included in the referrer. Now that that's fixed things still won't work because some random JS analytics lib put the URL visited in a cookie, etc, etc... There is a temptation to just turn the rules off.

replies(14): >>43794129 #>>43794136 #>>43794174 #>>43794203 #>>43794226 #>>43794234 #>>43794368 #>>43794502 #>>43795948 #>>43796540 #>>43798420 #>>43800243 #>>43804110 #>>43805902 #
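A constructed illustration of the failure mode described in the comment above (an added example, not Cloudflare's or Akamai's actual rule logic): a hypothetical file-inclusion signature that is checked in every location blocks a documentation site's own search query, the Referer on its XHR calls and an analytics cookie, while the same signature scoped to the one parameter the backend actually hands to the filesystem blocks only the request shaped like an attack. The pattern, the inspected locations, the parameter name and the sample requests are all assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical file-inclusion signature (an assumption; real WAF rulesets are
# far larger). Both rules below share it; they differ only in where they look.
LFI_PATTERN = re.compile(r"/etc/(?:hosts|passwd)")


def matched_locations(req):
    """Return the request locations where the signature appears.

    A broad rule inspects the query string, the Referer header and the Cookie
    header alike, which is what lets one docs page about /etc/hosts trip it
    three different ways."""
    hits = []
    if LFI_PATTERN.search(urlparse(req["url"]).query):
        hits.append("query")
    if LFI_PATTERN.search(req["headers"].get("Referer", "")):
        hits.append("referer")
    if LFI_PATTERN.search(req["headers"].get("Cookie", "")):
        hits.append("cookie")
    return hits


def broad_rule(req):
    """Block on any hit, anywhere."""
    return "block" if matched_locations(req) else "allow"


def scoped_rule(req, file_params=("file",)):
    """Tuned rule: inspect only the query parameters the backend passes to the
    filesystem. Which parameters those are is an assumption here; in practice
    it comes from knowing the application behind the WAF."""
    params = parse_qs(urlparse(req["url"]).query)
    for name in file_params:
        for value in params.get(name, []):
            if LFI_PATTERN.search(value):
                return "block"
    return "allow"


# Constructed sample traffic from a site that documents Linux configuration.
DOCS_PAGE = "https://docs.example.com/search?q=/etc/hosts"
SAMPLE_REQUESTS = {
    "docs search": {"url": DOCS_PAGE, "headers": {}},
    "xhr from docs page": {
        "url": "https://docs.example.com/api/suggest?q=hos",
        "headers": {"Referer": DOCS_PAGE},
    },
    "analytics beacon": {
        "url": "https://docs.example.com/api/track",
        "headers": {"Cookie": "last_url=/search?q=/etc/hosts"},
    },
    "file fetch": {
        "url": "https://docs.example.com/download?file=/etc/passwd",
        "headers": {},
    },
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Run both rules over the samples; returns {name: (broad, scoped, hits)}."""
    return {
        name: (broad_rule(req), scoped_rule(req), matched_locations(req))
        for name, req in requests.items()
    }


if __name__ == "__main__":
    for name, (broad, scoped, hits) in evaluate().items():
        print(f"{name:20s} broad={broad:5s} scoped={scoped:5s} hits={hits}")
```

The three legitimate requests each trip the broad rule in a different location, which is why tuning turns into the chain of exceptions the comment lists (query, then referrer, then cookie); the scoped rule sidesteps that chain because it only looks where the value could actually reach a file open.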
mjr00 No.43794226
> I disagree with other posts here, it is partially a balance between security and usability.

And economics. Many people here are blaming incompetent security teams and app developers, but a lot of seemingly dumb security policies are due to insurers. If an insurer says "we're going to jack up premiums by 20% unless you force employees to change their password once every 90 days", you can argue till you're blue in the face that it's bad practice, NIST changed its policy to recommend not regularly rotating passwords over a decade ago, etc., and be totally correct... but they're still going to jack up premiums if you don't do it. So you dejectedly sigh, implement a password expiration policy, and listen to grumbling employees who call you incompetent.

It's been a while since I've been through a process like this, but given how infamous log4shell became, it wouldn't surprise me if insurers are now also making it mandatory that common "hacking strings" like /etc/hosts, /etc/passwd, jndi:, and friends must be rejected by servers.

replies(12): >>43794339 #>>43794401 #>>43794476 #>>43794485 #>>43794676 #>>43794868 #>>43795485 #>>43797735 #>>43799077 #>>43799776 #>>43800796 #>>43802890 #
1. smeg_it No.43794868
I'm no expert, but I did take a CISSP course a while ago. One thing I actually remember ;P is that it recommended long passwords in lieu of the number, special character, upper, lower ... I don't remember the exact wording of course and maybe it did recommend some of that, but it talked about having a sentence rather than all that mess in 6-8 characters, but many sites still want the short mess that I never will actually remember.
replies(2): >>43795050 #>>43795322 #
2. mcoliver No.43795050
Entropy is stronger than complexity. https://xkcd.com/936/
replies(1): >>43795249 #
3. joseda-hg No.43795249
I wonder how many people have used Correct Horse Battery Staple as a password thanks to this comic
replies(2): >>43797263 #>>43797751 #
4. vlovich123 No.43795322
While the password recommendation stuff is changing (the US government updating its guidelines last year), it's generally best practice to not share passwords which itself implies using a password manager anyway which makes the whole "long passphrase" vs "complex" password moot - just generate 32 lowercase random characters to make it easier to type or use the autogenerated password your password manager recommends.

The long passphrase is more for the key that unlocks your password manager rather than the random passwords you use day to day.

replies(1): >>43795789 #
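The entropy comparison behind the xkcd link in comment 2 and the "32 lowercase random characters" suggestion in comment 4, as an added example that is not part of the thread: it computes bits of entropy for an 8-character password drawn from the full printable set, a four-word passphrase, and 32 random lowercase letters, and the time to exhaust each keyspace at an assumed offline guess rate. The 7776-entry word list size and the 1e10 guesses/second rate are assumptions; the page gives neither. The figures hold only when every symbol is chosen uniformly at random, i.e. by a generator, which is why the passphrase is reserved for the one key a human has to remember.

```python
import math
import secrets
import string

# Alphabet sizes for the schemes named in the thread. The 7776-word list size
# is an assumption (the usual Diceware list); the page only says "a sentence".
PRINTABLE_ASCII = len(string.ascii_letters + string.digits + string.punctuation)  # 94
DICEWARE_WORDS = 7776
LOWERCASE = len(string.ascii_lowercase)  # 26


def entropy_bits(alphabet_size, length):
    """Entropy of a string whose every symbol is chosen uniformly at random:
    log2(alphabet_size ** length) = length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every candidate at the given offline guess rate. The rate
    is an assumed round number, not a benchmark."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_schemes():
    """Entropy, in bits, for the three schemes discussed in the thread."""
    return {
        "8 chars, full printable set": entropy_bits(PRINTABLE_ASCII, 8),
        "4 random words": entropy_bits(DICEWARE_WORDS, 4),
        "32 random lowercase": entropy_bits(LOWERCASE, 32),
    }


def random_lowercase(length=32):
    """The day-to-day password comment 4 describes: generated and stored in a
    password manager, never chosen by a human, so only its entropy matters."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        years = years_to_exhaust(bits)
        print(f"{scheme:30s} {bits:6.1f} bits  ~{years:.2g} years at 1e10/s")
    print("example:", random_lowercase())
```

Four random words land within a bit of an 8-character password from the full printable set (roughly 52 bits each), so the passphrase gives up nothing while being far easier to recall; the 32 random lowercase letters are in a different class entirely (about 150 bits), which is the case for letting the manager generate everything but its own master key.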
5. kbolino No.43795789
There's also login passwords, and depending on how many systems you have to log into, these can be quite numerous. There are some attempts to address this with smartcards and FIDO tokens and so on, but it's not nearly universal yet. At least SSH keys are common for remote login nowadays, but you still need to log into some computer directly first.
replies(1): >>43797247 #
6. vlovich123 No.43797247
I find it rare to have a huge number of machines to log into that aren't hooked up to a centralized login server. Still, nothing prevents you from having passwords for each individual machine that needs it. It's cumbersome to type it in but it works, which is why I recommended all lowercase (faster to type on a mobile device).
7. D-Coder No.43797263
Ah, just mix them up randomly: Staple Battery Correct Horse!
8. smj-edison No.43797751
> Makes password "xkcd.com/936"